Troubleshoot VPN Site to Site between AWS and Azure

0

I have set up VPN Site to Site between AWS and Azure. Both tunnels are UP. After setting up:

  • Azure VPN gateway: 0KB Data Out, 5.91KB Data In
  • AWS VPN tunnel: 184 KB Data Out, 0KB Data In
  • Cannot ping and tracert between AWS and Azure

I have checked routing, security groups but don't find any errors. Please help me to fix this.

3 Answers
0

Hi,

May I know if these are managed endpoints by AWS and Azure for the Site-to-Site VPN connection? If so, please refer to this document [1], which might help in configuring the right parameters for the setup and validating the configuration.

Also, I would suggest enabling site-to-site VPN logs [2] which will help narrow down the issue. Please check for any asymmetric routing issues if you have built both the tunnels.

References:

[1] https://repost.aws/knowledge-center/vpn-azure-aws-bgp

[2] https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-logs.html#log-benefits

AWS
answered 4 months ago
EXPERT
reviewed 4 months ago
0

Here is how I would start looking at the VPN from the AWS Side [Assuming you can see the IPsec tunnel is up on your Console/CloudWatch Metrics]:

  1. What is the gateway type associated with the VPN (VGW or TGW or Cloud WAN)?
  2. Is this VPN Static Route VPN or Dynamic Routed?
  3. Is the VPC CIDR on AWS Side different than VNET on Azure Side?
  4. If Static route VPN, did you add the routes to Azure VNET at the time of creation of the VPN?
  5. Under the VPN details, do you see anything other than 0.0.0.0/0 in Local IPv4 Network CIDR and Remote IPv4 Network CIDR?
  6. If VPN is associated with VGW, check below:
     a. Is the VGW associated to a VPC?
     b. Is there a route in the VPC route table for the Azure VNET with the next-hop as VGW?
  7. If VPN is associated with TGW, check below:
     a. Is VPN associated and propagated in the TGW route table?
     b. Is there a route to the VPC CIDR from the TGW?
     c. Is there a route from VPC to the TGW for Azure VNET?

You can use VPC reachability analyzer to pinpoint the component where the issue exists. You will need to validate the same things from Azure side as well. Let me know if the above helps. If you would need more detailed tshoot, feel free to open a support case.

AWS
answered 4 months ago
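
The route checks from items 3, 6b and 7c of the answer above, as an added example (not part of the original answer and not AWS tooling). It runs over a constructed dict shaped like one route table from `aws ec2 describe-route-tables`; the CIDRs and gateway IDs are made-up sample values.

```python
import ipaddress

def cidrs_overlap(vpc_cidr, vnet_cidr):
    """Item 3: the VPC and VNET address spaces must not overlap."""
    return ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(vnet_cidr))

def effective_target(route_table, remote_cidr):
    """Longest-prefix match: which next hop does traffic to remote_cidr actually use?"""
    remote = ipaddress.ip_network(remote_cidr)
    best = None
    for route in route_table["Routes"]:
        dest = route.get("DestinationCidrBlock")
        # Skip prefix-list/IPv6 routes and blackholed routes.
        if dest is None or route.get("State") != "active":
            continue
        net = ipaddress.ip_network(dest)
        if remote.subnet_of(net) and (best is None or net.prefixlen > best[0]):
            target = route.get("GatewayId") or route.get("TransitGatewayId") or "other"
            best = (net.prefixlen, target)
    return best[1] if best else None

def diagnose(vpc_cidr, vnet_cidr, route_table):
    """Return a list of findings; an empty list means these checks passed."""
    findings = []
    if cidrs_overlap(vpc_cidr, vnet_cidr):
        findings.append("overlap")
    target = effective_target(route_table, vnet_cidr)
    if target is None:
        findings.append("no-route")
    elif not target.startswith(("vgw-", "tgw-")):
        # Items 6b/7c: the winning route must point at the VGW or TGW.
        findings.append("wrong-next-hop:" + target)
    return findings

# Constructed sample data (not from the question): VNET route is missing,
# so traffic for the VNET falls through to the default route.
BROKEN_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
]}
FIXED_TABLE = {"Routes": BROKEN_TABLE["Routes"] + [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "vgw-0example", "State": "active"},
]}

if __name__ == "__main__":
    print(diagnose("10.0.0.0/16", "10.1.0.0/16", BROKEN_TABLE))
    print(diagnose("10.0.0.0/16", "10.1.0.0/16", FIXED_TABLE))
```

The same checks have to be repeated against the Azure route tables, as the answer notes.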
